From: Gil Bregman <gbregman@il.ibm.com>
Date: Thu, 26 Mar 2026 15:48:03 +0000 (+0200)
Subject: mgr/cephadm: Add KMIP server support for NVMeoF gateway
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=744e93938357cfcb48d755a35b66e95a2f97f59b;p=ceph.git

mgr/cephadm: Add KMIP server support for NVMeoF gateway

Fixes: https://tracker.ceph.com/issues/75739

Signed-off-by: Gil Bregman <gbregman@il.ibm.com>
---

diff --git a/src/cephadm/cephadmlib/daemons/nvmeof.py b/src/cephadm/cephadmlib/daemons/nvmeof.py
index 761211087c82..aa0d42227620 100644
--- a/src/cephadm/cephadmlib/daemons/nvmeof.py
+++ b/src/cephadm/cephadmlib/daemons/nvmeof.py
@@ -81,6 +81,7 @@ class CephNvmeof(ContainerDaemonForm):
         mounts[log_dir] = '/var/log/ceph:z'
         if mtls_dir:
             mounts[mtls_dir] = '/src/mtls:z'
+        mounts['/etc/kmip'] = '/src/certs/kmip:z'
         return mounts
 
     def _get_huge_pages_mounts(self, files: Dict[str, str]) -> Dict[str, str]:
diff --git a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2 b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
index 37f0a60d22ff..e0743d95c64b 100644
--- a/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
+++ b/src/pybind/mgr/cephadm/templates/services/nvmeof/ceph-nvmeof.conf.j2
@@ -84,6 +84,11 @@ server_cert = /server.cert
 client_cert = /client.cert
 root_ca_cert = /root.ca.cert
 
+{% if spec.kmip_cert_dir %}
+[kmip]
+cert_dir = {{ spec.kmip_cert_dir }}
+{% endif %}
+
 [spdk]
 tgt_path = {{ spec.tgt_path }}
 rpc_socket_dir = {{ spec.rpc_socket_dir }}
diff --git a/src/pybind/mgr/cephadm/tests/services/test_nvmeof.py b/src/pybind/mgr/cephadm/tests/services/test_nvmeof.py
index a2e8ef35874f..1ba83602dcb8 100644
--- a/src/pybind/mgr/cephadm/tests/services/test_nvmeof.py
+++ b/src/pybind/mgr/cephadm/tests/services/test_nvmeof.py
@@ -171,6 +171,9 @@ server_cert = /server.cert
 client_cert = /client.cert
 root_ca_cert = /root.ca.cert
 
+[kmip]
+cert_dir = ./certs/kmip/{{server_name}}
+
 [spdk]
 tgt_path = /usr/local/bin/nvmf_tgt
 rpc_socket_dir = /var/tmp/
diff --git a/src/python-common/ceph/deployment/service_spec.py b/src/python-common/ceph/deployment/service_spec.py
index c10259729ba0..7d813d1f79ee 100644
--- a/src/python-common/ceph/deployment/service_spec.py
+++ b/src/python-common/ceph/deployment/service_spec.py
@@ -1749,6 +1749,7 @@ class NvmeofServiceSpec(ServiceSpec):
                  monitor_timeout: Optional[float] = 1.0,
                  enable_monitor_client: bool = True,
                  monitor_client_log_file_dir: Optional[str] = '',
+                 kmip_cert_dir: Optional[str] = './certs/kmip/{server_name}',
                  placement: Optional[PlacementSpec] = None,
                  unmanaged: bool = False,
                  preview_only: bool = False,
@@ -1972,6 +1973,8 @@ class NvmeofServiceSpec(ServiceSpec):
         self.enable_monitor_client = enable_monitor_client
         #: ``monitor_client_log_file_dir`` the monitor client log output file file directory
         self.monitor_client_log_file_dir = monitor_client_log_file_dir
+        #: ``kmip_cert_dir`` directory for KMIP servers keys and certificates
+        self.kmip_cert_dir = kmip_cert_dir
 
     def get_port_start(self) -> List[int]:
         return [self.port, 4420, self.discovery_port, self.prometheus_port]